Fortinet FortiOS and FortiProxy Vulnerable to HTTP Response Splitting
Fortinet has disclosed a vulnerability in FortiOS and FortiProxy that allows attackers with a valid web filter override token to inject arbitrary HTTP headers.

Fortinet has issued a security advisory detailing a critical vulnerability affecting its FortiOS and FortiProxy products. The flaw, identified as CWE-113 (Improper Neutralization of CRLF Sequences in HTTP Headers), also known as HTTP Response Splitting, could allow an attacker to inject arbitrary HTTP headers into web filter warning pages.
The vulnerability requires an attacker to possess a valid web filter override token. By tricking a user into clicking a specially crafted link, the attacker can exploit the flaw to inject malicious headers. This could potentially lead to further security issues, such as session hijacking or redirecting users to malicious sites, depending on how the injected headers are processed by the user's browser or subsequent systems.
The CVSSv3 score for this vulnerability is rated at a moderate 3.4, indicating a lower severity but still posing a risk to affected environments. The exploitability hinges on the attacker's ability to obtain a valid web filter override token, which might be acquired through other means or social engineering tactics.
Fortinet has provided specific version information for affected products. For FortiOS, versions 7.6.0 through 7.6.4 and all versions of 7.4 and 7.2 are impacted. Similarly, FortiProxy versions 7.6.0 through 7.6.4 and all versions of 7.4 and 7.2 are also vulnerable.
To address this vulnerability, Fortinet recommends upgrading to fixed releases. Specifically, users of affected FortiOS 7.6 and FortiProxy 7.6 versions should upgrade to 7.6.5 or later. For versions 7.4 and 7.2 of both products, users are advised to migrate to a fixed release, with Fortinet providing an upgrade tool to assist in this process.
Fortinet acknowledged Yaniv Nizry from Sonar for responsibly disclosing the vulnerability. The timeline indicates initial publication on July 14, 2026, suggesting that the vendor has had time to develop and release patches.
Organizations utilizing FortiOS and FortiProxy should prioritize applying the recommended updates to mitigate the risk of exploitation. The ability for an attacker to inject arbitrary headers, even with the prerequisite of a valid token, represents a significant security concern that could be chained with other attacks.
Fortinet has also released an advisory for a separate Cross-Site Scripting (XSS) vulnerability in FortiSIEM, identified as CWE-80. This flaw, affecting multiple versions of FortiSIEM, allows a privileged administrator to execute unauthorized commands through crafted requests. The vulnerability has a CVSSv3 score of 5.3, and Fortinet has provided specific upgrade paths for affected versions.